Communications system

ABSTRACT

The present invention relates to a communications system (1) for handling communications sessions, for example multimedia calls or voice calls. The communications system (1) comprises a local terminal (10), an external server (40), and a proxy interface agent (PIA) (11) between the terminal (10) and a shared network (20). The communication means includes a NAT function (32) through which the communications session must pass. The communications session is carried over the network (20) over one or more logical channels between the terminal (10) and the external server (40), during which the first NAT function (32) applies network address mappings on the terminal's transport addresses (14). The PIA (11) acts on behalf of the terminal (10) in communications with the external server (40), and establishes a logical channel on an outbound connection to the server that serves as a control channel between the PIA (11) and the server (40). The PIA (11) establishes dynamic outbound connections to the server (40), and in response to a request from the server or in response to a request from the PIA (11) itself, makes one or more associations between the terminal's transport address(es) (14) and identifiable logical channel(s) between the PIA (11) and the server. These identifiable logical channel(s) are established on one or more of the dynamic outbound connections from the PIA (11) to the server (40).

BACKGROUND

[0001] a. Field of the Invention

[0002] The present invention relates to a communications system for handling communications sessions, for example multimedia calls or voice calls.

[0003] b. Related Art

[0004] This document presents an invention that allows endpoints (using a real-time protocol, for example H.323, SIP or MGCP) located in different secure and private IP data networks to be able to communicate with each other without compromising the data privacy and data security of the individual private networks. The invention relates to a method and apparatus that has the advantage of working with existing security functions, firewalls for example, and NAPT (Network Address Port Translation) functions that may occur in firewalls, routers and proxies. The benefit of the invention is that it saves on the costs of upgrading those devices to be fully protocol (e.g. H.323) compliant or deploying additional protocol aware (e.g. H.323) devices. The invention presented in this document applies to those deployments where simple (1-to-1) NAT (Network Address Translation) mapping may be applied at the edge of the private networks and/or to deployments where NAPT (Network Address and Port Translation) is applied at the edge of the private networks. The two configurations can coexist and the apparatus can allow communications to take place between private networks following one configuration and private networks following the other configuration. Similarly, within a single private network, some terminals may use one configuration (e.g. dedicated room systems) whereas other terminals may use the second configuration (e.g. desktop client PCs). Note that for the purpose of this document NAT will refer to all types of network address translation.

[0005] The invention presented in this document is illustrated with reference to the ITU H.323 standard as that is the predominant standard for real-time multimedia communications over packet networks including IP networks. However, it is equally applicable to other standards or methods that need to dynamically assign ports to carry bi-directional information (e.g. IETF Session Initiation Protocol (SIP)). It is a major benefit of this invention that the private network infrastructure (firewalls and routers) need not be aware of the protocol used for real-time communication, and that the method of tunnelling real-time traffic in and out of a private network may also be protocol agnostic. This allows enterprises to deploy apparatus without regard to the protocol. This does not preclude some implementations from providing ‘protocol’ checking for security or other reasons.

[0006] The rapidly evolving IP (Internet Protocol) data network is creating new opportunities and challenges for multimedia and voice Communications Service Providers. Unprecedented levels of investment are being made in the data network backbone by incumbent telecommunication operators and next generation carriers and service providers. At the same time, broadband access technologies such as DSL and cable modems are bringing high speed Internet access to a wide community of users. The vision of service providers is to make use of the IP data network to deliver new voice, video and data services right to the desktop, the office and the home alongside high speed Internet access.

[0007] The H.323 standard applies to multimedia communications over Packet Based Networks that have no guaranteed quality of service. It has been designed to be independent of the underlying transport network and protocols. Today the IP data network is the default and ubiquitous packet network and the majority (if not all) of implementations of H.323 are over an IP data network. Other protocols for real-time (voice and video) communications, for example SIP and MGCP, also use the IP data network for the transport of call signalling and media. New protocols for new applications associated with the transport of real-time voice and video over IP data networks are also expected to be developed. The methods presented within this invention will also apply to them, and to other protocols that require multiple traffic flows per single session.

[0008] The importance of standards for widespread communications is fundamental if terminals from different manufacturers are to inter-operate. In the multimedia arena, the current standard for real-time communications over packet networks (such as IP data networks) is the ITU standard H.323. H.323 is now a relatively mature standard having support from the multimedia communications industry that includes companies such as Microsoft, Cisco and Intel. For example, it is estimated that 75% of PCs have Microsoft's NetMeeting (trade mark) program installed. NetMeeting is an H.323 compliant software application used for multimedia (voice, video and data) communication. Interoperability between equipment from different manufacturers is also now being achieved. Over 120 companies world-wide attended the last interoperability event hosted by the International Multimedia Telecommunications Consortium (IMTC), an independent organisation that exists to promote the interoperability of multimedia communications equipment. The event is a regular one that allows manufacturers to test and resolve inter-working issues.

[0009] Hitherto, there had been a number of barriers to the mass uptake of multimedia (particularly video) communications. Ease of use, quality, cost and communications bandwidth had all hampered growth in the market. Technological advances in video encoding, the ubiquity of cheap IP access and the current investment in the data network, coupled with the rollout of DSL together with ISDN and Cable modem, now alleviate most of these issues, making multimedia communications readily available.

[0010] As H.323 was being defined as a standard, it was assumed that there would be H.323-H.320 gateways that exist at the edge of network domains converting H.323 to H.320 for transport over the wide area between private networks. Therefore, implementations of H.323 over IP concentrated on communications within a single network.

[0011] However, IP continues to find favour as the wide area protocol. More and more organisations continue to base their entire data networks on IP. High speed Internet access, managed Intranets and Virtual Private Networks (VPNs), all based on IP, are commonplace. The IP trend is causing H.320 as a multimedia protocol to decline. The market demand is to replace H.320 completely with H.323 over IP. But perhaps the main market driver for transporting real-time communications over IP across the WAN (wide area network) is voice. With standards such as H.323 and SIP, users had begun to use the Internet for cheap voice calls using their computers. This marked the beginning of a whole new Voice over IP (VoIP) industry that is seeing the development of new VoIP products that include Ethernet telephones, IP PBXs, SoftSwitches and IP/PSTN gateways, all geared at seamlessly delivering VoIP between enterprises and users. H.323, SIP and MGCP are expected to be the dominant standards here.

[0012] Unfortunately, unforeseen technical barriers to the real-world, wide area deployment of H.323 and SIP still exist. The technical barriers relate to the communications infrastructure at the boundaries of IP data networks.

[0013] Consequently, today, successful implementations of multimedia or voice communications over IP are confined to Intranets or private managed IP networks.

[0014] The problems arise because of two IP technologies—Network Address Translation (NAT) and Firewalls. Security is also an issue when considering solutions to these problems. Where deployments of real-time communications over the data networks traverse shared networks (for example the public Internet), enterprises must be assured that no compromise to their data security is being made. Current solutions to these problems require the outside or external IP address(es) of an enterprise to become public to anyone with whom that enterprise wishes to communicate (voice communications usually includes everyone). The invention presented herein does not suffer this shortfall, as an enterprise's external IP address(es) need only be known to the ‘trusted’ service provider, which is how the public Internet has largely evolved.

[0015] NAT has been introduced to solve the ‘shortage of addresses’ problem. Any endpoint or ‘host’ in an IP network has an ‘IP address’ to identify that endpoint so that data packets can be correctly sent or routed to it and packets received from it can be identified from where they originate. At the time of defining the IP address field no-one predicted the massive growth in desktop equipment. After a number of years of global IP deployment, it was realised that the number of endpoints wanting to communicate using the IP protocol would exceed the number of unique IP addresses possible from the address field. To increase the address field and make more addresses available requires the entire IP infrastructure to be upgraded. (The industry is planning to do this with IP Version 6 at some point.)

[0016] The solution of the day is now referred to as NAT. The first NAT solution, referred to as simple NAT in IETF RFC 1631, uses a one-to-one mapping and came about before the World-Wide Web existed and when only a few hosts (e.g. email server, file transfer server) within an organisation needed to communicate externally to that organisation. NAT allows an enterprise to create a private IP network where each endpoint within that enterprise has an address that is unique only within the enterprise but is not globally unique. These are private IP addresses. This allows each host within an organisation to communicate with (i.e. address) any other host within the organisation. For external communication, a public or globally unique IP address is needed. At the edge of the private IP network is a device that is responsible for translating a private IP address to/from a public IP address—the NAT function. The enterprise will have one or more public addresses belonging exclusively to the enterprise, but in general fewer public addresses than hosts are needed, either because only a few hosts need to communicate externally or because the number of simultaneous external communications is smaller. A more sophisticated embodiment of NAT has a pool of public IP addresses that are assigned dynamically on a first come first served basis for hosts needing to communicate externally. Fixed network address rules are required in the case where external equipment needs to send unsolicited packets to specific internal equipment.

[0017] Today, most private networks use private IP addresses from the 10.x.x.x address range. External communications are usually via a service provider that offers a service via a managed or shared IP network or via the public Internet. At the boundaries between the public and private networks NAT is applied to change addresses to be unique within the IP network the packets are traversing. Simple NAT changes the complete IP address on a one-to-one mapping that may be permanent or dynamically created for the life of the communication session.

[0018] Web servers, mail servers and external servers are examples of hosts that would need a static one-to-one NAT mapping to allow external communications to reach them.

[0019] A consequence of NAT is that the private IP address of a host is not visible externally. This adds a level of security.

[0020] An extension to simple NAT additionally uses ports for the translation mapping and is often referred to as NAPT (Network Address Port Translation) or PAT (Port Address Translation). A port identifies one end of a point-to-point transport connection between two hosts. With mass access to the World-Wide-Web (WWW), the shortage of public IP addresses was again reached because now many desktop machines needed to communicate outside of the private network. The solution, as specified in IETF RFC 1631, allows a many-to-one mapping of private IP addresses to public IP address(es), instead using a unique port assignment (theoretically there are 64k unique ports on each IP address) on the public IP address for each connection made from a private device out into the public or shared network. Because of the growth of the Internet, PAT is the common method of address translation.

[0021] A peculiarity of PAT is that the private IP address/port mapping to public IP address/port assignments are made dynamically, typically each time a private device makes an outbound connection to the public network. The consequence of PAT is that data cannot travel inbound, that is from the public network to the private network, unless a previous outbound connection has caused such a PAT assignment to exist. Typically, PAT devices do not make the PAT assignments permanent. After a specified ‘silence’ period has expired, that is when no more inbound data has been received for that outbound initiated connection, the PAT assignment for that connection is unassigned and the port is free to be assigned to a new connection.

[0022] While computers and networks connected via a common IP protocol made communications easier, the common protocol also made breaches in privacy and security much easier too. With relatively little computing skill it became possible to access private or confidential data and files and also to corrupt that business information maliciously. The industry's solution to such attacks is to deploy ‘firewalls’ at the boundaries of private networks.

[0023] Firewalls are designed to restrict or ‘filter’ the type of IP traffic that may pass between the private and public IP networks. Firewalls can apply restrictions through rules at several levels. Restrictions may be applied at the IP address, the Port, the IP transport protocol (TCP or UDP for example) or the application. Restrictions are not symmetrical. Typically a firewall will be programmed to allow more communications from the private network (inside the firewall) to the public network (outside the firewall) than in the other direction.

[0024] It is difficult to apply firewall rules just to IP addresses. Any inside host (i.e. your PC) may want to connect to any outside host (a web server) dotted around the globe. To allow further control the concept of a ‘well known port’ is applied to the problem. A port identifies one end of a point-to-point transport connection between two hosts. A ‘well known port’ is a port that carries one ‘known’ type of traffic. IANA, the Internet Assigned Numbers Authority, specifies the well known ports and the type of traffic carried over them. For example, port 80 has been assigned for web surfing (HTTP protocol) traffic, port 25 for the Simple Mail Transfer Protocol (SMTP), etc.

[0025] An example of a firewall filtering rule for Web Surfing would be:

[0026] Any inside IP address/any port number may connect to any outside IP address/Port 80 using TCP (Transmission Control Protocol) and HTTP (the application protocol for Web Surfing).

[0027] The connection is bi-directional so traffic may flow back from the Web Server on the same path. The point is that the connection has to be initiated from the inside.

[0028] An example of a firewall filtering rule for email may be:

[0029] Any outside IP address/any port number may connect to IP address 192.3.4.5/port 25 using TCP and SMTP.

[0030] (Coincidentally, the NAT function may change the destination IP address 192.3.4.5 to 10.6.7.8, which is the inside address of the mail server.)

[0031] Filtering rules such as “any inside IP address/any port number may connect to any outside IP address/any port number for TCP or UDP and vice versa” are tantamount to removing the firewall and using a direct connection, as it is too broad a filter. Such rules are frowned upon by IT managers.

[0032] H.323 has been designed to be independent of the underlying network and transport protocols. Nevertheless, implementation of H.323 in an IP network is possible with the following mapping of the main concepts:

H.323 address: IP address
H.323 logical channel: TCP/UDP port connection

[0033] In the implementation of H.323 over IP, H.323 protocol messages are sent as the payload in IP packets using either TCP or UDP transport protocols. Many of the H.323 messages contain the H.323 address of the originating endpoint or the destination endpoint or both endpoints. Other signalling protocols such as SIP also embed IP addresses within the signalling protocol payload.

[0034] However, a problem arises in that NAT functions will change the apparent IP addresses (and ports) of the source and destination hosts without changing the H.323 addresses in the H.323 payload. As the hosts use the H.323 addresses and ports exchanged in the H.323 payload to associate the various received data packets with the call, this causes the H.323 protocol to break and requires intermediary intelligence to manipulate H.323 payload addresses.
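As an added illustration that is not part of the patent text, the following Python model reproduces the PAT behaviour described in [0020] and [0021] (a mapping exists only after an outbound flow and is released after a silence period) and the header/payload mismatch described in [0034]. The addresses, ports, the 'OLC' payload format and the 30 second silence value are constructed for the example.

```python
"""Toy model of a NAPT/PAT function and of what it does to a protocol that
carries transport addresses in its payload. Constructed example, not part
of the patent text: addresses, ports and the 'OLC' payload format are made
up; the NAPT behaviour follows [0020]-[0021] (mapping created only by an
outbound flow, released after a silence period)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port): a transport address


@dataclass
class Packet:
    src: Addr
    dst: Addr
    payload: str


@dataclass
class Napt:
    """Many-to-one NAT: each outbound flow gets its own public port."""
    public_ip: str
    silence: float = 30.0        # seconds without traffic before release
    next_port: int = 40000
    out: Dict[Tuple[Addr, Addr], int] = field(default_factory=dict)
    back: Dict[int, Tuple[Addr, Addr]] = field(default_factory=dict)
    last_seen: Dict[int, float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Release mappings whose silence period has elapsed ([0021])."""
        for port in [p for p, t in self.last_seen.items() if now - t > self.silence]:
            self.out.pop(self.back.pop(port), None)
            del self.last_seen[port]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Private -> public: create or reuse a mapping and rewrite the IP/port
        header fields only; the payload is never inspected or changed."""
        self._expire(now)
        key = (pkt.src, pkt.dst)
        port = self.out.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[port] = key
        self.last_seen[port] = now
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Public -> private: delivered only if an earlier outbound flow left a
        live mapping for the destination port; otherwise silently dropped."""
        self._expire(now)
        entry = self.back.get(pkt.dst[1]) if pkt.dst[0] == self.public_ip else None
        if entry is None:
            return None
        private_src, _remote = entry
        self.last_seen[pkt.dst[1]] = now
        return Packet(pkt.src, private_src, pkt.payload)


def open_logical_channel(media_addr: Addr) -> str:
    """Constructed stand-in for an H.245 OpenLogicalChannel message: the
    endpoint advertises the transport address it wants media sent to."""
    return f"OLC media={media_addr[0]}:{media_addr[1]}"


def parse_media_addr(payload: str) -> Addr:
    ip, port = payload.split("media=", 1)[1].rsplit(":", 1)
    return ip, int(port)


def demo_payload_mismatch() -> Tuple[Addr, Addr]:
    """[0034]: after translation, the header source address the far end sees
    and the address embedded in the payload no longer agree, so media sent
    to the advertised address goes to an unroutable private address."""
    nat = Napt("203.0.113.5")
    signalling = Packet(("10.6.7.8", 1720), ("198.51.100.9", 1720),
                        open_logical_channel(("10.6.7.8", 49152)))
    translated = nat.outbound(signalling, now=0.0)
    return translated.src, parse_media_addr(translated.payload)


def demo_inbound_rules() -> Tuple[bool, bool, bool]:
    """[0021]: inbound before any outbound flow, inbound on a live mapping,
    and inbound after the silence period; returns whether each is delivered."""
    nat = Napt("203.0.113.5", silence=30.0)
    terminal, server = ("10.6.7.8", 5060), ("198.51.100.9", 5060)
    unsolicited = nat.inbound(Packet(server, ("203.0.113.5", 40000), "INVITE"), now=0.0)
    mapped = nat.outbound(Packet(terminal, server, "REGISTER"), now=1.0)
    reply = nat.inbound(Packet(server, mapped.src, "200 OK"), now=2.0)
    late = nat.inbound(Packet(server, mapped.src, "INVITE"), now=40.0)
    return unsolicited is not None, reply is not None, late is not None
```

`demo_inbound_rules()` returns `(False, True, False)`: only the reply that arrives while the outbound-created mapping is still live gets through, which is why the PIA in the later sections must keep outbound connections open.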

[0035] Because of the complexity of multimedia communications, H.323 requires several logical channels to be opened between the endpoints. Logical channels are needed for call control, capabilities exchange, audio, video and data. In a simple point-to-point H.323 multimedia session involving just audio and video, at least 6 logical channels are needed. In the IP implementation of H.323, logical channels are mapped to TCP or UDP port connections, many of which are assigned dynamically.

[0036] As the firewall functions filter out traffic on ports that they have no rules for, either the firewall is opened, which defeats the purpose of the firewall, or much of the H.323 traffic will not pass through.

[0037] Therefore, both NAT and firewall functions between endpoints prevent H.323 (and other real-time protocols, SIP and MGCP for example) communications working. This will typically be the case when the endpoints are in different private networks, when one endpoint is in a private network and the other endpoint is in the Internet, or when the endpoints are in different managed IP networks.

[0038] H.323 (and SIP, MGCP etc.) communication is therefore anathema to firewalls. Either a firewall must become H.323 aware or some intermediary intelligence must manipulate the port assignments in a secure manner.

[0039] One possible solution to this problem would be a complete IP H.323 infrastructure upgrade. This requires:

[0040] H.323 upgrade to the NAT function at each IP network boundary. The NAT function must scan all H.323 payloads and consistently change IP addresses.

[0041] H.323 upgrade to the firewall function at each IP network boundary. The firewall must understand and watch all H.323 communication so that it can open up the ports that are dynamically assigned and must filter all non-H.323 traffic on those ports.

[0042] Deployment of H.323 intelligence at the boundary or in the shared IP network to resolve and arbitrate addresses. IP addresses are rarely used directly by users. In practice, IP address aliases are used. Intelligence is needed to resolve aliases to an IP address. This H.323 function is contained within H.323 entities called Gatekeepers.

[0043] The disadvantages of this possible solution are:

[0044] Each organisation/private network must have the same level of upgrade for H.323 communication to exist.

[0045] The upgrade is costly. New functionality or new equipment must be purchased, planned and deployed. IT managers must learn about H.323.

[0046] The scale of such a deployment will likely not be readily adaptable to the demands placed on it as the technology is progressively adopted, requiring a larger and more costly initial deployment than initial (perhaps experimental) demand requires.

[0047] The continual parsing of H.323 packets to resolve the simple NAT and firewall function places a latency burden on the signal at each network boundary. The latency tolerance for audio and video is very small.

[0048] Because there are a multitude of standards for real-time communication and each of the signalling protocols of those standards is different, an enterprise would need multiple upgrades—one for each protocol it wishes to use.

[0049] The media is expected to travel directly between enterprises or between an enterprise and a device in the public network. The consequence of this is that the IP addresses of an enterprise become public knowledge. This is regarded as a security compromise, as any potential attacker must first discover the enterprise's IP address as the first step to launching an attack.

[0050] As a result of these problems, the H.323 protocol is not being used for multimedia communications when there is a firewall and/or network address translation (NAT). One approach has been to place H.323 systems on the public side of the firewall and NAT functions. This allows them to use H.323 while also allowing them to protect the remainder of their network. The disadvantages of this are:

[0051] 1. The most ubiquitous device for video communications is the desktop PC. It is nonsensical to place all desktop computers on the public side!

[0052] 2. The H.323 systems are not protected from attackers on the public side of the firewall.

[0053] 3. The companies are not able to take advantage of the potentially ubiquitous nature of H.323, since only the special systems will be allowed to conduct H.323 communications.

[0054] 4. The companies will not be able to take full advantage of the data-sharing facilities in H.323 because the firewall will prevent the H.323 systems from accessing the data. Opening the firewall to allow data-transfer functions from the H.323 system is not an option because it would allow an attacker to use the H.323 system as a relay.

[0055] 5. In the emerging Voice over IP (VoIP) market there is a market for telephony devices that connect directly to the data network, for example Ethernet telephones and IP PBXes. By virtue of their desktop nature they are typically deployed on the private network behind firewalls and NAT. Without solutions to the problems described above, telephony using these devices is confined to the enterprise's private network or Intranet or must pass through IP-PSTN gateways to reach the outside world.

[0056] The advantages of using the broadband connection to the enterprise for voice and video as well as data require secure solutions to these issues.

SUMMARY OF THE INVENTION

[0057] It is an object of the present invention to address these problems.

[0058] Accordingly, the invention provides a communications system for handling a communications session with a destination communication system, comprising a first local terminal, an external server, one or more logical channels between the first local terminal and the external server for carrying the communications session over a shared communications network, said communication means including a first NAT function through which the communications session must pass, in which:

[0059] a) the first local terminal has at least one transport address for the communications session;

[0060] b) the first NAT function applies network address mappings on the transport addresses on connections between the first terminal and the shared communications network;

[0061] c) the system includes a first proxy interface agent arranged to act on behalf of the first local terminal in communications with the external server;

[0062] d) the first proxy interface agent is capable of establishing a logical channel on one or more outbound connections to the external server, said logical channel serving as a control channel between the first proxy interface agent and the external server;

[0063] wherein:

[0064] e) said outbound connection(s) are dynamic outbound connections established by the first proxy interface agent;

[0065] f) the first proxy interface agent is adapted to make association(s) between the transport address(es) of the first local terminal and identifiable logical channel(s) between the first proxy interface agent and the external server, said identifiable logical channel(s) being established on one or more of said dynamic outbound connections from the first proxy interface agent to the external server.

[0066] Also according to the invention, there is provided a method of handling a communications session in a communications system, the communications system comprising a first local terminal, an external server, a first proxy interface agent between the first local terminal and the shared network, said communication means including a first NAT function through which the communications session must pass, in which the method comprises the steps of:

[0067] i) carrying the communications session over a shared communications network over one or more logical channels between the first local terminal and the external server, the first local terminal having at least one transport address for the communications session;

[0068] ii) allowing the first NAT function to continue to apply network address mappings on the transport addresses on connections between the first terminal and the shared communications network;

[0069] iii) using the first proxy interface agent to act on behalf of the first local terminal in communications with the external server;

[0070] iv) using the first proxy interface agent to establish a logical channel on one or more outbound connections to the external server, said logical channel serving as a control channel between the first proxy interface agent and the external server;

[0071] wherein the method comprises the steps of:

[0072] v) using the first proxy interface agent to establish dynamic outbound connection(s) to the external server;

[0073] vi) using the first proxy interface agent to make one or more associations between the transport address(es) of the first local terminal and identifiable logical channel(s) between the first proxy interface agent and the external server, said identifiable logical channel(s) being established on one or more of said dynamic outbound connections from the first proxy interface agent to the external server.

[0074] The sum of the logical channels provides the communications session and the outbound connections create the necessary NAT mappings that enable inbound and outbound communications between the terminal and the external server. Communication to and from the first local terminal is transparently mapped by the first proxy interface agent onto the identifiable logical channels. The external server communicates with the destination communication system as if it were the first terminal. The communications system therefore can be used to provide a transparent communications means between the first terminal and the destination communication system, the external server being responsible for onward forwarding of the communications.

[0075] In order to allow inbound communications over TCP, previously established bi-directional outbound connections are made to establish NAT mappings.

[0076] In order to allow inbound communications over UDP, probe packet(s) are sent to establish the NAT mappings.

[0077] During the communications session, the first NAT function continues to apply network address mappings to connections between the first proxy interface agent and the external server.

[0078] Identifiable logical channels may be multiplexed into one or more connections using normal multiplexing techniques.

[0079] An example of a transport address is an IP address plus a port number. The network address mappings will in general therefore be mappings of IP addresses and/or ports.

[0080] In one embodiment of the invention, the first proxy interface agent makes said associations in response to a request from the external server.

[0081] In another embodiment of the invention, the first proxy interface agent makes said associations in response to a request generated by the first proxy interface agent itself.

[0082] The external server itself (or alternatively the first proxy interface agent) may also be adapted to request the external server to make associations between the said identifiable logical channel(s) and the logical channels of communication between the external server and the destination communication system such as a destination terminal.
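The following Python model is an added illustration, not code from the patent, of the PIA side of the mechanism in [0064], [0065], [0074], [0078] and [0080] to [0082]: identifiable logical channels multiplexed onto one outbound connection, a reserved control channel, and the association table from terminal transport addresses to channel ids. The 4-byte frame header, the ASSOCIATE/ASSOCIATED control verbs and all addresses are assumptions made for the example.

```python
"""Toy model of the proxy interface agent (PIA) side of the tunnel: logical
channels multiplexed onto one outbound connection, a control channel, and
associations between terminal transport addresses and channel ids.
Constructed example, not part of the patent: the 4-byte frame header and
the ASSOCIATE/ASSOCIATED control verbs are invented here."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]
CONTROL_CHANNEL = 0          # channel id reserved for the control channel
HDR = struct.Struct("!HH")   # big-endian: channel id, payload length


def frame(channel: int, payload: bytes) -> bytes:
    """Encapsulate one logical channel's payload for the shared connection."""
    return HDR.pack(channel, len(payload)) + payload


def deframe(stream: bytes) -> List[Tuple[int, bytes]]:
    """Split bytes read from the connection into (channel, payload) records.
    A trailing partial frame is left for the next read, never guessed at."""
    records, pos = [], 0
    while pos + HDR.size <= len(stream):
        channel, length = HDR.unpack_from(stream, pos)
        start, end = pos + HDR.size, pos + HDR.size + length
        if end > len(stream):
            break
        records.append((channel, stream[start:end]))
        pos = end
    return records


@dataclass
class Pia:
    """Moves datagrams between the terminal side (private transport addresses)
    and the tunnel side (channel ids). Only associated addresses/channels are
    relayed: the PIA, not the firewall, decides which terminal flows reach
    the external server, so the firewall need only allow PIA -> server."""
    assoc: Dict[Addr, int] = field(default_factory=dict)
    by_channel: Dict[int, Addr] = field(default_factory=dict)
    next_channel: int = 1

    def associate(self, terminal_addr: Addr) -> int:
        """Bind a terminal transport address to a fresh identifiable channel
        ([0081]: association requested by the PIA itself)."""
        if terminal_addr not in self.assoc:
            channel = self.next_channel
            self.next_channel += 1
            self.assoc[terminal_addr] = channel
            self.by_channel[channel] = terminal_addr
        return self.assoc[terminal_addr]

    def handle_control(self, msg: bytes) -> Optional[bytes]:
        """Server-requested association over the control channel ([0080]):
        'ASSOCIATE ip:port' -> reply frame 'ASSOCIATED ip:port <channel>'."""
        verb, _, arg = msg.decode("ascii", "replace").partition(" ")
        if verb != "ASSOCIATE" or ":" not in arg:
            return None                      # unknown or malformed: ignored
        ip, port = arg.rsplit(":", 1)
        if not port.isdigit():
            return None
        channel = self.associate((ip, int(port)))
        return frame(CONTROL_CHANNEL, f"ASSOCIATED {arg} {channel}".encode())

    def to_server(self, terminal_addr: Addr, datagram: bytes) -> Optional[bytes]:
        """Terminal -> server: relay only datagrams from an associated address."""
        channel = self.assoc.get(terminal_addr)
        return None if channel is None else frame(channel, datagram)

    def from_server(self, stream: bytes) -> Tuple[List[Tuple[Addr, bytes]], List[bytes]]:
        """Server -> terminal: demultiplex the stream; media goes to the
        terminal address bound to its channel, control messages are answered,
        and payloads on channels that were never associated are dropped."""
        deliveries, replies = [], []
        for channel, payload in deframe(stream):
            if channel == CONTROL_CHANNEL:
                reply = self.handle_control(payload)
                if reply is not None:
                    replies.append(reply)
            elif channel in self.by_channel:
                deliveries.append((self.by_channel[channel], payload))
        return deliveries, replies


def demo_session() -> Tuple[List[Tuple[Addr, bytes]], List[bytes]]:
    """Server asks for an association, sends a packet on a channel that was
    never associated (dropped), then sends media on the associated channel."""
    pia = Pia()
    stream = (frame(CONTROL_CHANNEL, b"ASSOCIATE 10.6.7.8:49152")
              + frame(7, b"never associated"))
    deliveries, replies = pia.from_server(stream)
    media = frame(pia.assoc[("10.6.7.8", 49152)], b"RTP from far end")
    more, _ = pia.from_server(media)
    return deliveries + more, replies
```

The terminal's private transport address never appears on the wire between PIA and server; it rides inside the association table, which is why the NAT mapping it would otherwise break is irrelevant to the tunnelled flow.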

[0083] The transport address(es) of the first local terminal arepreferably assigned dynamically. Similarly, the transport address(es) ofthe external server may be assigned dynamically.

[0084] Alternatively, none of the transport address(es) of the externalserver may be assigned dynamically.

[0085] The communications system may include a first firewall throughwhich the communications session must pass. The first firewall is thenconfigured to restrict certain types of communication between the firstlocal terminal and the shared communications network and beingconfigured not to restrict communication between the first proxyinterface agent and the external server.

[0086] At least one of the transport address(es) of the external servermay have at least one pre-assigned (sometime referred to as‘well-known’) port. The outbound connections from the first proxyinterface agent to the external server then uses said pre-assignedport(s).

[0087] Preferably, all the transport address(es) of the external server,to which the said outbound connections from the first proxy interfaceagent to the external server connect, have pre-assigned ports. In thiscase, it may be that all the transport address(es) of the externalserver have at most two pre-assigned ports.

[0088] The number of pre-assigned ports of the external server may beless than or equal to the total number of dynamically assigned ports forthe terminal(s). For example, the external server may have threepre-assigned ports, one for TCP and two for UDP.

[0089] The communications system may include a second local terminal andthe external server is a proxy server between the first terminal and thesecond terminal that acts for each terminal as a proxy for the otherterminal during the course of the communications session.

[0090] In many cases, there may be a second local terminal with a secondfirewall and/or second NAT function through which the communicationsession must pass. The second firewall may then be configured torestrict certain types of communication between the second terminal andthe public communications network. The external server will then havelogical communication ports for communication with the terminalsincluding, for example, one or more pre-assigned ports for communicationwith the second terminal. The second firewall can then be configured notto restrict communication between the second terminal and thepre-assigned port(s) of the proxy server, and a second proxy interfaceagent is deployed to act on behalf of the second terminal in itscommunication with the external server. The second local terminal maythen engage in a communications session with a second proxy interfaceagent in a similar manner to that described above.

[0091] Additionally, a second terminal and second proxy interface agent may connect to a second external server. External server(s) communicate via the public or shared network.

[0092] The shared communications network will in general include the public communications network and/or the Internet.

[0093] The proxy interface agent may be co-located with the local terminal, or alternatively, the proxy interface agent may be remote from the local terminal.

[0094] The invention may also be useful in cases where there is more than one local terminal per proxy interface agent. The proxy interface agent can then act simultaneously on behalf of terminals using the same or different real-time (or non-real-time) protocols, for example both H.323 and SIP. The signalling gateway functionality (for example between H.323 and SIP) is preferably provided within either the external server or the proxy interface agent.

[0095] Additional features and functionality (for example QOS and/or security via encryption) may be provided by the proxy interface agent and the external server transparently to the endpoints.

[0096] Such a system may be used for making a voice or a multimedia call according to the H.323 standard of the International Telecommunication Union. Alternatively, the system may be used for making a voice or a multimedia call according to the SIP standard of the Internet Engineering Task Force. Such a system and method may also be used for setting up other types of communication sessions through firewalls and NATs using non-real-time protocols, for example file transfer, that in order to function involve the dynamic creation of logical channels identified by transport addresses that are left unmodified by said NATs. Furthermore, the communications system may support mixed protocol environments.

[0097] The proxy interface agent may be co-located with an endpoint (for example a PC terminal) or may reside in a separate device from the endpoint(s) it is acting on behalf of.

[0098] The terminals may be adapted to transmit and/or receive multimedia signals together with associated multimedia control signals, the control signals being sent to one of the pre-assigned ports and the media signals being sent to the other pre-assigned ports.

[0099] Preferably, at least one of the logical communications ports is a pre-assigned port, said request being sent to the pre-assigned port as an initial request to initiate a communication session.

[0100] The communication means may be adapted for making a voice or a multimedia call at least in part via the Internet, in which case the external server will have a public Internet protocol address by which one or both of the terminals communicate with the external server, the firewall(s) being configured not to restrict communication between the terminal(s) and the pre-assigned port(s) of the external server.

[0101] The invention is applicable to the case where there are one or more pair(s) of first terminals and second terminals. For example, several first voice or multimedia terminals at one site may each connect to corresponding second voice or multimedia terminals at a variety of other sites.

[0102] The invention allows two terminals located in separate private networks to communicate via a common public (or shared) network in which one or both private networks are connected to the public network via firewalls and/or NATs that restrict certain types of communication. Equally, the invention allows one terminal in a private network to communicate with a terminal in a public network, wherein the two networks are connected by firewalls and/or NATs that restrict certain types of communication.

[0103] The invention will be described by reference only to the operation between a first endpoint, herein referred to as the first local terminal, and an intermediary server, herein referred to as the external server. The operation between a second terminal and the external server mirrors the operation between the first terminal and the external server. Additionally, where the second terminal is directly connected to the public network, this is equivalent to it being connected to a private network in which the firewall and NAT implement null functions. That is, the firewall does not restrict any connections and the NAT uses the same address on both sides for a given connection.

[0104] The invention involves the deployment of an external server in the shared or public network and a proxy interface agent in the private network. The external server may be owned and operated by a public service provider, and thus will typically already be provisioned prior to an enterprise wishing to deploy H.323 communications across the private/public network boundary. The proxy interface agent may be implemented as part of the terminal, or it may be independent of the terminal implementation but operate on the same device as the terminal, or it may be installed on a separate device.

[0105] When enabled, the proxy interface agent will establish a TCP connection to the external server. This connection will be via the firewall and/or NAT if either or both are present. This requires the firewall to allow outgoing TCP connections to the external server's address and well-known port(s). The NAT is able to provide a private-to-public address mapping (and vice versa) because the connection is created in the outbound direction. As part of the setup process, the external server may authenticate itself to the proxy interface agent, and the connection may be encrypted. The protocol that operates over this connection allows the multiplexing of multiple signalling protocols. Such signalling protocols include, but are not limited to, H.225 RAS, H.225 call signalling, H.245 and SIP. Indeed, this connection is sufficient for all communications between the first local terminal and the external server for which the performance characteristics of a TCP connection are acceptable. Once established, the multiplexed connection will remain largely dormant except for periodic registration messages until an outgoing or incoming call attempt is made. For additional security, this connection may be continually set up and disconnected at regular (short) intervals. Each setup of the connection can potentially create a different port assignment in the NAT function, and new encryption keys. Attackers' chances of exploiting this connection are consequently reduced.

[0106] The transport characteristics of the multiplex connection are, however, not appropriate for real-time media such as audio and video. These require UDP-based RTP/RTCP connections to be established between the proxy interface agent and the external server. Both inbound and outbound RTP/RTCP connections require UDP traffic in both directions. To send media from the terminal to the public network via the external server, the external server sends H.323 messages to the terminal (via the proxy interface agent, using the multiplexed connection) that instruct the terminal to send its media to the proxy interface agent. (This can be done using standard H.323 procedures by populating the various data fields of the H.323 messages with address and port values that give the illusion that the terminal and the proxy interface agent are the two ends of the H.323 call.) The proxy interface agent must then establish UDP data exchange both to and from the external server through the firewall and/or NAT.

[0107] In principle the proxy interface agent can establish a UDP connection to the external server by simply sending a UDP packet to the address and well-known port(s) of the external server. The firewall can be configured to let this traffic through, and the NAT can create a private-to-public address mapping because the connection is created in the outbound direction. However, a device that handles multiple calls involving many UDP connections (such as the external server) typically uses the IP destination address and port, and/or the IP source address and port, to associate the UDP information with the appropriate call. In the case of the external server, all the UDP data must be sent to the same IP address and one of the well-known ports in order to be allowed through the firewall. Therefore the IP destination address and port cannot be used to differentiate the various UDP connections. Also, from the perspective of the external server, the NAT will assign an effectively random source IP address and port to the UDP packets that it forwards from the proxy interface agent. The result is that the IP source addresses and ports of the UDP data that arrives at the external server will not correspond to any of the media channels that the external server (or alternatively the proxy interface agent) has negotiated through the various signalling channels.

[0108] To solve the association problem, the external server (or alternatively the proxy interface agent) instructs the proxy interface agent (via the TCP-based multiplexed connection) to send it a probe packet using the same IP source and destination addresses and ports that the proxy interface agent will use for subsequent UDP data on this connection. The probe packet contains a unique token chosen by the external server (or alternatively the proxy interface agent) that allows the external server to associate the received probe packet with the appropriate UDP connection. In turn, the external server can associate the IP source and destination addresses and ports of the probe packet with the UDP connection. Knowing this address and port information, the external server can associate UDP data subsequently received from these IP addresses and ports with the appropriate call, enabling it to forward correctly to/from the destination communication system. In an alternative embodiment of the invention, the token information can be multiplexed into each UDP packet that is sent. Additionally, multiple logical channels can be multiplexed onto the same UDP connection. The advantage of taking the latter approach is to conserve port usage in the proxy interface agent. A second advantage is to reduce the bandwidth taken by the UDP header information that is normally sent on every RTP/RTCP packet. When a smaller number of TCP and UDP connections are used because of the multiplexing of logical channels, those connections may be placed onto pre-assigned or well-known ports at the proxy interface agent. This allows a further tightening of the firewall rules.

[0109] To send data from the external server to the proxy interface agent, it is necessary for a public-to-private address mapping to be made in the NAT. As this is typically a 1-to-many mapping, NATs are typically unable to dynamically make such a mapping. However, it is observed that the network path established when making an outgoing UDP connection from the proxy interface agent to the external server, as described above, is in actual fact bi-directional in nature. Hence, to establish a UDP connection from the external server to the proxy interface agent, the same steps as for establishing a UDP connection from the proxy interface agent to the external server are followed. However, once the association of addresses and ports is established, the external server uses this information to send UDP data rather than to receive UDP data. The proxy interface agent will then send the UDP data on to the terminal. Standard H.323 signalling using appropriate address and port values can be used to prepare the terminal to receive the UDP data from the proxy interface agent.

[0110] As has been described, the first proxy interface agent and the external server provide a communication system and method to enable the first terminal to communicate with a destination communication system through unmodified NATs and firewalls. This is accomplished by:

[0111] a) modifying the addresses in the protocol (H.323, SIP etc.) such that the terminal communicates with the first proxy interface agent as if it were the destination communication system, and the destination communication system communicates with the external server as if it were the first terminal; and by

[0112] b) dynamically making associations between 1) the logical channels used by the first terminal, 2) identifiable logical channels from the first proxy interface agent to the external server, said identifiable logical channels being created on dynamic outbound connection(s) from the first proxy interface agent to the external server, and 3) the logical channels between the external server and the destination communication system.

[0113] Modifications to the addresses within the protocol may be made by the external server, the first proxy interface agent or both. Wherever said modifications are made, requests and instructions need to be communicated between the first proxy interface agent and the external server so that said dynamic associations can be made. Requests and instructions are carried in a client-server protocol between the first proxy interface agent (client) and the external server (server), said client-server protocol being carried over the control channel that is itself carried on an outbound connection from the first proxy interface agent to the external server.

[0114] When the external server is responsible for making the address modifications in the protocol, the external server is said to be the master of the client-server protocol and the first proxy interface agent is the slave.

[0115] When the first proxy interface agent is responsible for making the address modifications in the protocol, the first proxy interface agent is said to be the master of the client-server protocol and the external server is the slave.

[0116] When both the first proxy interface agent and the external server make protocol modifications, they may negotiate or be configured to make one the master and the other the slave.

[0117] Because one or more outbound connections from the first proxy interface agent, for one or more calls, may arrive at the same transport address at the external server, and said outbound connections may have passed through one or more NATs that cause the source addresses of the outbound connections to be randomised, probe packets containing known identifiers, said identifiers being exchanged between the first proxy interface agent and the external server (or vice versa), are used to establish said outbound connections. Said identifiers enable the external server to complete the association it needs to correctly forward the call to/from the destination communication system.

BRIEF DESCRIPTION OF THE DRAWINGS

[0118] The invention will be described by way of example, with reference to the accompanying drawings, in which:

[0119] FIG. 1 is a schematic diagram of a communications system according to the invention for making a voice or a multimedia call between two enterprises in which the proxy interface agent is co-located with an endpoint;

[0120] FIG. 2 is a schematic diagram similar to that of FIG. 1, except that the proxy interface agent is remote from the endpoint; and

[0121] FIG. 3 is a schematic diagram of the communications systems of FIGS. 1 and 2, showing the logical channels on outbound connections for both outbound and inbound communications, at one enterprise, between the local terminal and the external server.

DETAILED DESCRIPTION

[0122] The alternative to a complete H.323 upgrade is presented in the example described with reference to FIG. 1. This shows a communication system 1 having a first enterprise 2 and a second enterprise 4, each of which includes a private network 6,8, both of which have one or more H.323 terminals 10,12. Each private network 6,8 has private IP addresses 14,16, coincidentally within the 10.x.x.x address range. The private IP addresses 14,16 may result from static assignment or dynamic assignment through normal DHCP procedures. Included in the private networks 6,8 are proxy interface agents 11,13 that act on behalf of terminals 10,12 respectively. If the proxy interface agents are not co-located with their respective terminal(s), then the proxy interface agent(s) will have a unique IP address within the private address range 14,16 of their respective private networks 6,8. In such cases, each proxy interface agent 11,13 may act on behalf of multiple terminals 10,12. In FIG. 1, the proxy interface agents are shown as co-located, and in FIG. 2 they are shown not co-located. External communication is via a shared, managed or public Internet 20. For external communication, the first enterprise 2 has one or more public IP address(es) 22, for example in a range beginning at 192.1.1.1, and the second enterprise 4 has one or more public IP address(es) 24, for example in a range beginning at 206.1.1.1. Each enterprise has a router 32,34 that applies Network Address Port Translation (NAPT) to dynamically map between inside IP addresses 14,16 and port numbers on those addresses (private) and one of the outside IP addresses 22,24 and port numbers on the selected IP address (public).

[0123] The private networks 6,8 are optionally each protected at their edges with firewall functions 26,28. The firewall functions are configured with the rules shown in Table 1 to allow real-time communications such as those based on H.323. The rules take into account the two or more new well-known ports proposed under an earlier invention, referred to as X, Y and Z. Port Z may in practice be equal to either X or Y.

TABLE 1

Rule  From IP address  From port  To IP address    To port  IP protocol  Application
1     Any              Any        External server  Z        TCP          Outbound multiplex connection
2     External server  Z          Any              Any      TCP          Inbound multiplex connection
3     Any              Any        External server  X        UDP          Outbound media (RTP)
4     External server  X          Any              Any      UDP          Inbound media (RTP)
5     Any              Any        External server  Y        UDP          Outbound media (RTCP)
6     External server  Y          Any              Any      UDP          Inbound media (RTCP)

[0124] In Table 1, ideally the listed port numbers X, Y and Z are registered port numbers according to standards agreed with IANA. The advantage of these ports being industry-standard ports is that intermediary equipment such as firewalls and routers would know the associated media is real-time traffic and could, therefore, handle it appropriately; for example, a router could give it higher-priority forwarding in order to minimise delays.

[0125] In order for H.323 terminals 10 in the first enterprise 2 to communicate with other H.323 terminals 12 in the second enterprise 4, there must exist a shared network 20 to which an external server 40 is connected, for example via a router 38. The external server 40 has a public IP address 44, for example 45.6.7.8. The external server would also have the new well-known port numbers X, Y and Z 46 that would have to be agreed and registered in advance with IANA.

[0126] FIG. 3 shows the communications paths between the various entities from the perspective of the first terminal 10, the first proxy interface agent 11, the first firewall 26, the first NAPT router 32 and the external server 40. The figure shows the multiplex connection 51 between the proxy interface agent 11 and the external server 40, via the firewall 26 and NAPT router 32. Within the multiplex connection 51 are one or more logical channels 52, 53. One of these is the control channel 52, while the others 53 carry signalling protocols such as H.225 RAS, H.225 call signalling, H.245, SIP and MGCP. As part of the operation described below, the proxy interface agent 11 will send probe packets 55 to the external server 40, and establish UDP connections 56, 57 between the terminal 10 and the external server 40. One or more logical channels may be multiplexed into the UDP connections 56, 57 to carry media such as RTP and RTCP, for example.

[0127] The proxy interface agent 11 may operate in one of a number of modes depending on operational requirements. Principally it can be either protocol agnostic or protocol aware. If it is protocol agnostic, the external server 40 will command the proxy interface agent 11 to open and close any UDP sockets needed. This is the most flexible mode as it allows terminals employing new protocols to be added to the private network without upgrading the proxy interface agents 11. However, without due care, this could present a security threat as third parties could instruct the proxy interface agent to open UDP channels for illicit purposes. For this reason, if this mode is adopted, it is recommended that as a minimum the proxy interface agent 11 perform some form of auditing. If the proxy interface agent 11 is protocol aware, then it can allocate ports when instructed by the external server 40, but not implement the relaying function until it has observed appropriate protocol signalling to indicate that these ports are being used for an approved application. Furthermore, when the proxy interface agent is protocol aware, there is no need for the external server to be protocol aware, because the proxy interface agent now has all the intelligence with which to request the external server to make the necessary associations so that it can provide the correct forwarding between the logical channels that are established on outbound connections from the proxy interface agent to the external server and the destination communication system (i.e. the call). This mode is more secure, but less flexible with regard to deploying new applications or application upgrades. For simplicity, the example described below assumes the proxy interface agent 11 is operating in the protocol agnostic mode.
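The two modes just described, as an added worked example that is not code from the patent: a relay gate in the proxy interface agent that, in protocol agnostic mode, opens and relays on the server's command but audits every event, and in protocol aware mode allocates the port on command yet refuses to relay until it has seen signalling naming that port. The token carried in the server's open command, the dict standing in for an H.245 OpenLogicalChannel, and the port numbers are assumptions made for the illustration.

```python
"""Relay gate in the proxy interface agent (PIA) modelling the two modes of
[0127].  Added illustration, not the patent's code.  Assumptions: the server's
'open UDP port' command carries the token of [0108]; an H.245
OpenLogicalChannel is reduced to a dict naming the RTP/RTCP ports it opens
(the real message is ASN.1 PER encoded and would need a proper decoder)."""
from enum import Enum


class Mode(Enum):
    AGNOSTIC = "agnostic"   # open and relay on the server's command; audit only
    AWARE = "aware"         # allocate on command; relay only once signalling names the port


class RelayGate:
    def __init__(self, mode: Mode):
        self.mode = mode
        self.ports = {}     # local UDP port -> {"token", "approved", "relayed", "dropped"}
        self.audit = []     # (event, port, detail) records kept in both modes

    def open_port(self, port: int, token: str) -> None:
        """Control-channel command from the external server ([0139])."""
        self.ports[port] = {"token": token, "approved": self.mode is Mode.AGNOSTIC,
                            "relayed": 0, "dropped": 0}
        self.audit.append(("open", port, token))

    def close_port(self, port: int) -> None:
        """Control-channel command once the media channel is torn down ([0143])."""
        if self.ports.pop(port, None) is not None:
            self.audit.append(("close", port, ""))

    def observe_signalling(self, msg: dict) -> None:
        """Signalling the PIA relays between terminal and server.  In aware mode,
        an OpenLogicalChannel naming an allocated port approves that port."""
        if self.mode is not Mode.AWARE or msg.get("type") != "OpenLogicalChannel":
            return
        for key in ("rtp_port", "rtcp_port"):
            entry = self.ports.get(msg.get(key))
            if entry is not None:
                entry["approved"] = True
                self.audit.append(("approve", msg[key], msg["type"]))

    def relay(self, port: int, payload: bytes):
        """UDP datagram from the terminal on `port`.  Returns the datagram to send to
        the external server with the token multiplexed in front (the alternative
        embodiment of [0108]), or None if the gate drops it."""
        entry = self.ports.get(port)
        if entry is None:
            self.audit.append(("drop", port, "not allocated"))
            return None
        if not entry["approved"]:
            entry["dropped"] += 1
            self.audit.append(("drop", port, "no signalling seen for this port"))
            return None
        entry["relayed"] += 1
        return entry["token"].encode() + b":" + payload


def demo(mode: Mode):
    """Server opens an RTP/RTCP pair; media arrives before and after the terminal's
    OpenLogicalChannel; a datagram also arrives on a port nobody opened."""
    gate = RelayGate(mode)
    gate.open_port(20000, "tok-A1")
    gate.open_port(20001, "tok-A2")
    before = gate.relay(20000, b"rtp before signalling")
    gate.observe_signalling({"type": "OpenLogicalChannel", "rtp_port": 20000, "rtcp_port": 20001})
    after = gate.relay(20000, b"rtp after signalling")
    stray = gate.relay(30000, b"never allocated")
    return before, after, stray, gate
```

`demo(Mode.AGNOSTIC)` relays both datagrams and only records them; `demo(Mode.AWARE)` drops the one that arrives before the OpenLogicalChannel and relays the one after it. In both modes the datagram on the unallocated port is dropped and audited, which is the minimum the paragraph asks of an agnostic agent.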

[0128] When the proxy interface agent 11 is enabled it establishes a multiplex connection 51 as a communications channel to the external server 40 by initiating an outbound TCP connection to the address and port of the external server 44, 46. (This connection will typically be authenticated and encrypted, but such matters are beyond the scope of this document.)

[0129] The multiplex connection 51 is capable of transporting the information pertaining to multiple TCP and UDP sessions 52, 53. Some of the logical channels within the multiplex connection 51 will be statically allocated, in particular the control channel 52. Other logical channels can be dynamically created as the need arises. Some of the logical channels 53 will be relayed to/from the terminal 10 by the proxy interface agent 11. With each such logical channel, the proxy interface agent 11 (or the external server, depending on implementation) associates the IP addresses and ports of the specific TCP or UDP connection used between the proxy interface agent 11 and the terminal 10. In other words, the proxy interface agent makes an association between a transport address of the terminal and the transport address on its own end of a logical channel.
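As an added illustration of the multiplex connection 51 described in [0105] and [0129], and not code from the patent: one TCP byte stream carrying a statically allocated control channel and logical channels that the control channel opens and closes. The frame layout (16-bit channel id, 16-bit length, payload), the JSON control messages and the sample terminal addresses are assumptions; the patent leaves the wire format open.

```python
"""Logical channels multiplexed over the single outbound TCP connection 51 of
[0105] and [0129]: channel 0 is the statically allocated control channel 52 and
the other channels 53 are opened and closed by messages on it.  Added
illustration, not the patent's code.  The frame layout (big-endian u16 channel
id, u16 payload length, payload) and the JSON control messages are assumptions;
the patent does not specify its wire format."""
import json
import struct

HDR = struct.Struct("!HH")   # channel id, payload length
CONTROL = 0                  # control channel 52, open for the life of the connection


def frame(channel: int, payload: bytes) -> bytes:
    """Encode one frame for the multiplex connection."""
    if not 0 <= channel <= 0xFFFF or len(payload) > 0xFFFF:
        raise ValueError("channel id or payload length out of range")
    return HDR.pack(channel, len(payload)) + payload


def control(msg: dict) -> bytes:
    """Encode a control-channel message (open/close of a dynamic logical channel)."""
    return frame(CONTROL, json.dumps(msg, sort_keys=True).encode())


class Demux:
    """Receiving end (PIA or external server).  Reassembles frames from a TCP byte
    stream that may arrive in arbitrary segments and delivers data only on
    channels the control channel has opened; anything else is rejected."""

    def __init__(self):
        self.buf = bytearray()
        self.open = {CONTROL: "control"}   # channel id -> protocol carried (e.g. "SIP")
        self.delivered = []                # (channel, payload or control message)
        self.rejected = []                 # frames for channels that were not open

    def feed(self, data: bytes) -> None:
        self.buf += data
        while len(self.buf) >= HDR.size:
            channel, length = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + length:
                break                       # wait for the rest of this frame
            payload = bytes(self.buf[HDR.size:HDR.size + length])
            del self.buf[:HDR.size + length]
            self._dispatch(channel, payload)

    def _dispatch(self, channel: int, payload: bytes) -> None:
        if channel == CONTROL:
            msg = json.loads(payload)
            if msg["op"] == "open":
                self.open[msg["channel"]] = msg["proto"]
            elif msg["op"] == "close":
                self.open.pop(msg["channel"], None)
            self.delivered.append((channel, msg))
        elif channel in self.open:
            self.delivered.append((channel, payload))
        else:
            self.rejected.append((channel, payload))


def demo() -> Demux:
    """Server side opens channel 1 for H.225 call signalling towards terminal 10,
    a SIP frame arrives before its channel is opened, channel 1 is closed and a
    late frame on it is rejected.  The stream is delivered in 5-byte segments to
    exercise reassembly.  Addresses are constructed sample values."""
    stream = b"".join([
        control({"op": "open", "channel": 1, "proto": "H.225 call signalling",
                 "terminal": "10.1.2.3:1720"}),
        frame(1, b"Setup(call 1)"),
        frame(2, b"INVITE sip:bob@example.com"),    # channel 2 not yet open
        control({"op": "open", "channel": 2, "proto": "SIP", "terminal": "10.1.2.3:5060"}),
        frame(2, b"INVITE sip:bob@example.com"),
        control({"op": "close", "channel": 1}),
        frame(1, b"late H.225 data"),
    ])
    demux = Demux()
    for i in range(0, len(stream), 5):
        demux.feed(stream[i:i + 5])
    return demux
```

The receiver refuses data on a channel the control channel has not opened, so a peer cannot inject signalling for a terminal it was never associated with simply by picking a channel number; the "terminal" field in the open message is where the association of [0129] between a logical channel and the terminal's transport address would be recorded.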

[0130] As part of the initial configuration, the external server 40 may instruct the proxy interface agent 11 to create sockets to listen for registration information and outgoing call attempts from the terminal 10.

[0131] If the terminal 10 subsequently attempts to register with a gatekeeper/server, such messages (H.225 RAS, SIP REGISTER etc.) may be sent to the proxy interface agent 11. The proxy interface agent 11 will forward the registration messages to the external server 40 via a logical channel 52 or 53. Any responses are sent using the reverse route. The external server 40 will store the terminal's private transport address 14 along with the identity or transport address of the multiplex connection 51 on which the registration was received. This information is sufficient to forward incoming calls to the terminal when the need arises.

[0132] To establish an incoming call, the external server 40 needs to establish a call control channel (H.225 call control for H.323, or SIP) to the terminal 10 via the proxy interface agent 11. If an appropriate logical channel 53 does not already exist between the external server 40 and the proxy interface agent 11, such a logical channel is instantiated. As part of this process, the terminal's private transport address (IP address and port) 14 to which the proxy interface agent 11 is to create the TCP or UDP connection 54 is specified. The messages needed to create the logical channel 53 are exchanged between the external server 40 and the proxy interface agent 11 using the control logical channel 52.

[0133] Once the logical channel for the call control signalling has been created, the external server 40 can send an H.323/SIP create call message (Setup for H.323, INVITE for SIP etc.) to the proxy interface agent 11. The proxy interface agent will then relay this message to the terminal 10 using the TCP or UDP connection 54 established when the logical channel 53 was created.

[0134] In the case of H.323 it may be necessary to establish an H.245 connection between the external server 40 and the terminal 10. The address within the terminal 10 to which this connection is to connect is contained in the responses sent back to the external server 40 by the terminal 10. If the external server 40 chooses to establish such an H.245 session, then it creates a new logical channel 53 in the same way it created the call-signalling channel. As part of this procedure the proxy interface agent 11 will establish a TCP connection to the private IP address and port specified in the terminal's responses.

[0135] For an outgoing call, a signalling path can be created between the terminal 10 and the external server 40 when the terminal 10 connects and sends a create call message (Setup for H.323, INVITE for SIP etc.) to the proxy interface agent 11. If a logical channel 53 for this type of connection does not already exist within the multiplex connection 51, then such a logical channel is created by the proxy interface agent 11 using the control channel 52. The proxy interface agent 11 can then relay the message(s) to the external server 40.

[0136] If a separate H.245 connection is required for the outgoing call, the external server 40 will create a new logical channel 53 within the multiplex connection 51 and instruct the proxy interface agent 11 to create a listening socket. The address and port values of the created socket are returned to the external server 40, which includes them in the H.323 signalling sent in response to the Setup message. This information allows the terminal 10 to connect to the listening socket created by the proxy interface agent 11.

[0137] Once the necessary incoming or outgoing call control paths have been established, it may be necessary to establish outbound and inbound media paths. As described earlier, the media paths of all currently defined IP-based multimedia applications (including H.323, SIP and MGCP) use RTP. RTP is based on UDP, and a unidirectional RTP connection requires both forward and reverse UDP paths to be established. It is, therefore, necessary to establish UDP paths from the terminal 10 to the external server 40 via the proxy interface agent 11, and from the external server 40 to the terminal 10, again via the proxy interface agent 11. Additionally, the RTP and RTCP connections require a fixed relationship between the ports they use. Therefore, in addition to being able to open a single port at a time, it is necessary to be able to open UDP port pairs which have the necessary RTP/RTCP port number relationship. Therefore, while the text below describes opening a single connection, the same principles can be employed to simultaneously request and open port pairs.

[0138] The following discussion assumes that the H.323 protocol is being used. The sequences of protocol messages versus control messages may vary for other protocols (such as SIP and MGCP), but the principles remain the same.

[0139] To establish a UDP path between the terminal 10 and the external server 40, the external server 40 instructs the proxy interface agent 11 to open a UDP port (or port pair) that the terminal 10 can connect to. The external server 40 also specifies a token that the proxy interface agent 11 should associate with the connection.

[0140] On successfully opening the port, the proxy interface agent 11 indicates to the external server 40 the identity of the port. The external server is then able to issue the necessary signalling commands to open a media channel (e.g. H.245 Open Logical Channel in the case of H.323) containing the private IP address and port on the proxy interface agent 11 to which the terminal 10 should send its UDP data. On reception of this command, the proxy interface agent relays the command to the terminal using the connection established previously for this purpose.

[0141] The terminal 10 can now start sending RTP and RTCP UDP packets 56 to the proxy interface agent 11. However, prior to forwarding these packets to the external server 40, the proxy interface agent 11 must send probe packets 55 which contain the token specified by the external server 40 when the connection was initially configured. In addition to creating a private-to-public address mapping in the NAPT, the presence of the token allows the external server 40 to associate UDP packets 57 received from the source of these probe packets 55 with the correct logical media channel. Note that it is preferable to defer sending the probe packets 55 for as long as possible, as if they are sent too early the address mappings created in the NAT may time out before any media data 56 is sent. Also, it is necessary to be aware that, being UDP, the probe packets 55 may be lost. It is therefore necessary to have the ability to send more than one probe packet 55 for a given connection. Once a probe packet 55 has been sent, the proxy interface agent can relay received UDP data 56 to the external server 40 (as item 57). Alternatively, the token information can be multiplexed into each UDP packet that is sent. Additionally, multiple logical channels may be multiplexed onto one or more UDP connections.

[0142] The method of operation is similar for an inbound UDP connection. The external server 40 instructs the proxy interface agent 11 to open a port (or port pair) that can be used to send UDP data to the terminal 10. The proxy interface agent 11 informs the external server 40 of the identity of this port. The external server 40 can then include this information in the protocol-specific signalling command to open a media channel (e.g. H.245 Open Logical Channel in the case of H.323) that is sent to the terminal 10 via the proxy interface agent 11. The terminal 10 will reply to this command, giving the private IP address and port at which it wishes to receive UDP data for the connection. This message is relayed back to the external server 40. The external server 40 can then inform the proxy interface agent 11 of the address to which it should relay UDP data for this connection. Further, to create the public-to-private address mapping in the NAT, the external server 40 requests that the proxy interface agent 11 send probe packets 55 for this connection to the external server 40 containing a token. This creates a private-to-public address mapping that in turn acts as a public-to-private address mapping for data sent in the reverse direction. The external server 40 uses the token in the probe packet 55 to determine which NAT address and port it should send UDP data to for this session 57. The external server 40 may now start sending UDP media 57 to this address. The NAT will relay this to the proxy interface agent 11, which will in turn relay it to the terminal 10 (as item 56), thus completing the connection.
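The probe and token procedure of [0108], [0141] and [0142], end to end, as an added model that is not the patent's own code: it covers the outbound direction, the inbound direction reusing the mapping the probe created, a lost probe, and the case [0141] warns about where the NAT mapping times out before media flows. The probe format, the 30-second idle timeout, the public address 192.1.1.1 taken from the description of FIG. 1 and the port numbers are assumptions.

```python
"""End-to-end model of the probe-packet and token mechanism of [0108], [0141]
and [0142]: a NAPT that rewrites the source of outbound UDP to a public port of
its own choosing and forgets idle mappings, a proxy interface agent (PIA) that
sends token-bearing probes before relaying media, and an external server that
learns from the probe which public source belongs to which media channel.
Added illustration, not the patent's code.  The probe format (b"PROBE:" +
token), the NAT idle timeout and the addresses are assumptions."""

NAT_TIMEOUT = 30.0       # seconds of silence before the NAPT drops a mapping (assumed)
PUBLIC_IP = "192.1.1.1"  # enterprise public address 22 from the description of FIG. 1


class Napt:
    """Toy NAPT.  Outbound packets create or refresh a mapping; inbound packets
    are accepted only on a live mapping.  A counter stands in for the NAT's
    unpredictable choice of public port."""

    def __init__(self):
        self.table = {}        # (private_ip, private_port) -> [public_port, last_used]
        self.next_port = 40000

    def outbound(self, src, now):
        entry = self.table.get(src)
        if entry is None or now - entry[1] > NAT_TIMEOUT:
            entry = self.table[src] = [self.next_port, now]   # fresh mapping, new port
            self.next_port += 1
        entry[1] = now
        return (PUBLIC_IP, entry[0])

    def inbound(self, public_port, now):
        for src, (port, last) in self.table.items():
            if port == public_port and now - last <= NAT_TIMEOUT:
                return src
        return None            # no live mapping: the NAT discards the packet


class ExternalServer:
    def __init__(self):
        self.tokens = {}       # token -> media channel, issued over the control channel
        self.assoc = {}        # (public_ip, public_port) -> media channel, learned from probes
        self.received = []     # (channel, payload) forwarded towards the far end
        self.dropped = 0       # datagrams from a source no probe has claimed

    def new_channel(self, channel, token):
        self.tokens[token] = channel

    def receive(self, public_src, payload):
        if payload.startswith(b"PROBE:"):
            channel = self.tokens.get(payload[6:].decode())
            if channel is not None:
                self.assoc[public_src] = channel
            return
        channel = self.assoc.get(public_src)
        if channel is None:
            self.dropped += 1
            return
        self.received.append((channel, payload))

    def send_media(self, channel, payload):
        """Inbound direction ([0142]): send to the public source the probe came from."""
        for public_src, ch in self.assoc.items():
            if ch == channel:
                return public_src, payload
        return None


class Pia:
    def __init__(self, napt, server, private_ip="10.1.2.3", lost_probes=0):
        self.napt, self.server, self.ip = napt, server, private_ip
        self.ports = {}        # local UDP port -> token from the server's open command
        self.probed = set()
        self.lost_probes = lost_probes   # probes the simulated network loses
        self.to_terminal = []

    def open_port(self, port, token):
        self.ports[port] = token

    def _send(self, port, payload, now):
        self.server.receive(self.napt.outbound((self.ip, port), now), payload)

    def media_from_terminal(self, port, payload, now, probes=3):
        """Probe only once media is actually flowing ([0141]), and more than once
        because a UDP probe may be lost; then relay."""
        if port not in self.probed:
            for _ in range(probes):
                if self.lost_probes > 0:
                    self.lost_probes -= 1   # lost in transit: no mapping, no association
                    continue
                self._send(port, b"PROBE:" + self.ports[port].encode(), now)
            self.probed.add(port)
        self._send(port, payload, now)

    def media_from_network(self, public_port, payload, now):
        private = self.napt.inbound(public_port, now)
        if private is not None:
            self.to_terminal.append((private[1], payload))
        return private is not None


def demo(lost_probes=1, gap=0.0):
    """One RTP channel: probes (the first `lost_probes` lost), two media packets
    `gap` seconds apart, then inbound media from the server."""
    napt, server = Napt(), ExternalServer()
    pia = Pia(napt, server, lost_probes=lost_probes)
    server.new_channel("call-1/rtp", "tok-A1")   # token issued over the control channel
    pia.open_port(20000, "tok-A1")
    pia.media_from_terminal(20000, b"rtp-1", now=0.0)
    pia.media_from_terminal(20000, b"rtp-2", now=1.0 + gap)
    out = server.send_media("call-1/rtp", b"rtp-in")
    delivered = out is not None and pia.media_from_network(out[0][1], out[1], now=2.0 + gap)
    return server, pia, delivered
```

`demo()` shows normal operation with one probe lost and the retransmitted probe completing the association in both directions; `demo(lost_probes=3)` shows the server dropping media it cannot tie to any call; `demo(gap=60.0)` shows a mapping that expired between the probe and the next media packet, after which the packet arrives from a new public port the server has never seen and the server's learned association points at a dead mapping for the inbound direction. Because the server keys the association on whichever source the token arrived from, the token needs to be unguessable and valid for a single channel; in the alternative embodiment of [0108] it is carried in every packet instead, which removes the dependence on the source address altogether.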

[0143] When the UDP connections are no longer required, the external server 40 will instruct the proxy interface agent 11 to close the associated sockets. Any private-to-public address mappings in the NAPT will eventually time out as no data will be passing through them.

[0144] In this illustration of the invention, we have assumed that the external server is a single device with a single IP address. In other embodiments of the invention the 'external server' may be several co-operating devices. Additionally, the external server device(s) may each have one or multiple IP addresses. Where multiple IP addresses are used, the normal practice is to allocate them from a single subnet; the programming of the firewall rules then becomes a matter of specifying the allowed ports to and from a subnet rather than individual IP addresses.

[0145] Note that the private IP address and port numbers of an H.323 terminal may in fact be the same as the public IP address and port numbers to which it is mapped, in which case the mapping is transparent.

[0146] The advantages of the approach described above are that:

[0147] NAT and firewall functions do not need to be upgraded.

[0148] Latency of the signal is kept to a minimum.

[0149] Organisations only require protocol agnostic proxy interface agent(s) that can be used with any appropriate real-time protocol.

[0150] The IP address(es) of the enterprise do not become public knowledge through the process of making calls with that enterprise.

[0151] Quality of service and other usage based policies (bandwidth utilisation for example) may be implemented piecemeal and don't need a single consistent end-to-end solution. For example, the external server may instruct the proxy interface agent to process one media stream within a call with a certain QOS level, using a method that is appropriate to the connection between the proxy interface agent and the external server; the external server may then map that to corresponding QOS levels available to it in the core network. Likewise, a method of encryption may be used between the proxy interface agent and the external server independently of security mechanisms used for the other parts (legs) of the call.

[0152] In summary, the invention provides a method and a system for allowing H.323 terminals (or other real-time protocol conformant endpoints) located in private IP networks to communicate in a way that: does not compromise the existing security procedures and measures; avoids the need to upgrade existing firewalls, routers and proxies; and allows full NAT to be applied to IP connections without the NAT function interpreting or understanding the communications protocol being used. The invention also permits standard H.323 equipment in one private network to communicate with other H.323 terminals in the same or different private and/or public IP networks via a protocol independent proxy interface agent and via an H.323 proxy server using a shared or public IP network.

[0153] Organisations can therefore subscribe to a shared resource in a shared IP network. Costs are kept to a minimum and security is not compromised.

[0154] It is to be recognized that various alterations, modifications, and/or additions may be introduced into the constructions and arrangements of parts described above without departing from the spirit or scope of the present invention, as defined by the appended claims.

1. A communications system for handling a communications session with a destination communication system, comprising a first local terminal, an external server, one or more logical channels between the first local terminal and the external server for carrying the communications session over a shared communications network, said communication means including a first NAT function through which the communications session must pass, in which: i) the first local terminal has at least one transport address for the communications session; ii) the first NAT function applies network address mappings on the transport addresses on connections between the first terminal and the shared communications network; iii) the system includes a first proxy interface agent arranged to act on behalf of the first local terminal in communications with the external server; iv) the first proxy interface agent is capable of establishing a logical channel on one or more outbound connections to the external server, said logical channel serving as a control channel between the first proxy interface agent and the external server; wherein: v) said outbound connections are dynamic outbound connections established by the first proxy interface agent; vi) the first proxy interface agent is adapted to make association(s) between the transport address(es) of the first local terminal and identifiable logical channel(s) between the first proxy interface agent and the external server, said identifiable logical channel(s) being established on one or more of said dynamic outbound connections from the first proxy interface agent to the external server.
2. A method of handling a communications session in a communications system, the communications system comprising a first local terminal, an external server, a first proxy interface agent between the first local terminal and the shared network, said communication means including a first NAT function through which the communications session must pass, in which the method comprises the steps of: i) carrying the communications session over a shared communications network over one or more logical channels between the first local terminal and the external server, the first local terminal having at least one transport address for the communications session; ii) allowing the first NAT function to continue to apply network address mappings on the transport addresses on connections between the first terminal and the shared communications network; iii) using the first proxy interface agent to act on behalf of the first local terminal in communications with the external server; iv) using the first proxy interface agent to establish a logical channel on one or more outbound connections to the external server, said logical channel serving as a control channel between the first proxy interface agent and the external server; wherein the method comprises the steps of: v) using the first proxy interface agent to establish dynamic outbound connection(s) to the external server; vi) using the first proxy interface agent to make one or more associations between the transport address(es) of the first local terminal and identifiable logical channel(s) between the first proxy interface agent and the external server, said identifiable logical channel(s) being established on one or more of said dynamic outbound connections from the first proxy interface agent to the external server.
3. The method of claim 2, in which the first proxy interface agent makes said associations in response to a request from the external server.
4. The method of claim 2, in which the first proxy interface agent makes said associations in response to a request generated by the first proxy interface agent itself.
5. The method of claim 2, in which the external server itself (or alternatively the first proxy interface agent) is adapted to request the external server to make associations between the said identifiable logical channel(s) and the logical channels of communication with a destination communication system such as a destination terminal.
6. The method of claim 2, in which the communications system includes a client-server protocol on the control channel wherein: i) the client-server protocol on the control channel is used to enable the dynamic association of (a) logical channels of communication used by the first terminal, with (b) identifiable logical channel(s) between the first proxy interface agent and the external server, said identifiable logical channel(s) being established on one or more of said dynamic outbound connections from the first proxy interface agent to the external server, with (c) logical channels of communication between the external server and a destination communication system, resulting in the appearance that the first terminal is located at transport addresses on the external server and the destination communication system is at the first proxy interface transport addresses.
7. The method of claim 6, in which the external server is adapted to be master of the client-server protocol and also to modify the transport addresses being carried in the real-time (or non-real-time) protocol, in order that the first terminal communicates with the first proxy interface agent as if it were a destination communications system, and the destination communications system communicates with the external server as if it were the first terminal.
8. The method of claim 6, in which the first proxy interface agent is adapted to be master of the client-server protocol and also to modify the transport addresses being carried in the real-time (or non-real-time) protocol, in order that the first terminal communicates with the first proxy interface agent as if it were the destination communications system, and the destination communications system communicates with the external server as if it were the first terminal.
9. The method of claim 2, in which the transport address(es) of the first local terminal are assigned dynamically.
10. The method of claim 2, in which the transport address(es) of the external server are assigned dynamically.
11. The method of claim 2, in which none of the transport address(es) of the external server are assigned dynamically.
12. The method of claim 2, in which the communications system includes a first firewall through which the communications session must pass, the first firewall being configured to restrict certain types of communication between the first local terminal and the shared communications network and being configured not to restrict communication between the first proxy interface agent and the external server.
13. The method of claim 2, in which at least one of the transport address(es) of the external server has at least one pre-assigned port, and the outbound connections from the first proxy interface agent to the external server use said pre-assigned port(s).
14. A method as claimed in claim 13, in which all the transport address(es) of the external server have pre-assigned ports.
15. The method of claim 14, in which all the transport address(es) of the external server have at most two pre-assigned ports.
16. The method of claim 2, in which all the transport address(es) of the proxy interface agent are assigned dynamically.
17. The method of claim 2, in which at least one of the transport address(es) of the proxy interface agent uses pre-assigned ports.
18. The method of claim 2, in which all the transport address(es) of the proxy interface agent use pre-assigned ports.
19. The method of claim 2, in which the communications system includes a second local terminal and the external server is a proxy server between the first terminal and the second terminal that acts for each terminal as a proxy for the other terminal during the course of the communications session.
20. The method of claim 2, in which the communications system includes a second local terminal and a second external server which acts as a proxy for the second terminal and communication between the first external server and the second external server is via a public network or a shared network.
21. The method of claim 2, in which the shared communications network includes the public communications network.
22. The method of claim 2, in which the shared communications network includes the Internet.
23. The method of claim 2, in which the proxy interface agent is co-located with the local terminal.
24. The method of claim 2, in which the proxy interface agent is remote from the local terminal.
25. The method of claim 2, in which there is more than one local terminal for the proxy interface agent.
26. The method of claim 2, in which the proxy interface agent simultaneously acts on behalf of terminals using different real-time and/or non-real-time protocols.
27. The method of claim 2, in which the external server simultaneously acts on behalf of terminals and/or proxy interface agents using different real-time and/or non-real-time protocols.